Method for accelerating cryptographic operations on elliptic curves

ABSTRACT

This invention provides a method for accelerating multiplication of an elliptic curve point Q(x,y) by a scalar k, the method comprising the steps of selecting an elliptic curve over a finite field F_(q), where q is a prime power, such that there exists an endomorphism ψ, where ψ(Q)=λ·Q for all points Q(x,y) on the elliptic curve; and using smaller representations k_(i) of the scalar k in combination with the mapping ψ to compute the scalar multiple of the elliptic curve point Q.

[0001] This invention relates to a method for performing computations in cryptographic systems utilizing elliptic curves.

[0002] This application is a continuation-in-part of U.S. patent application Ser. No. 09/885,959, filed on Jun. 22, 2001, which is a continuation of International Application No. PCT/CA99/01222, filed on Dec. 23, 1999, and claims the priority of Canadian Patent Application No. 2,257,008, filed on Dec. 24, 1998, the content of all of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

[0003] A public-key data communication system may be used to transfer information between a pair of correspondents. At least part of the information exchanged is enciphered by a predetermined mathematical operation by the sender, and the recipient may perform a complementary mathematical operation to decipher the information.

[0004] Each correspondent has a private key and a public key that is mathematically related to the private key. The relationship is such that it is not feasible to determine the private key from knowledge of the public key. The keys are used in the transfer of data, either to encrypt data that is to be transferred or to attach a signature to allow verification of the authenticity of the data.

[0005] For encryption, one correspondent uses the public key of the recipient to encrypt the message and sends it to the recipient. The recipient then uses her private key to decipher the message.

[0006] A common key may also be generated by combining one party's public key with the other party's private key. It is usual in such cases to generate new private and corresponding public keys for each communication session, usually referred to as session keys or ephemeral keys, to avoid the long-term keys of the parties being compromised.

[0007] The exchange of messages and generation of the public keys may therefore involve significant computation involving exponentiation when the cryptographic system utilizes Z*_(p), the finite field of integers mod p where p is a prime, or the analogous operation of point multiplication when the system utilizes an elliptic curve. In an elliptic curve system, an ephemeral key pair is obtained by generating a secret integer k and performing a point multiplication on the seed point Q to provide the ephemeral public key kQ. Similarly, the generation of a common ephemeral session key will require multiplication of a public key k_(a)Q, which is a point on the curve, with a secret integer k_(b) of the other correspondent, so that point multiplication is again required.

[0008] A similar procedure is used to sign a message except that the sender applies his private key to the message. This permits any recipient to recover and verify the message using the sender's public key.

[0009] Various protocols exist for implementing such a scheme and some have been widely used. In each case, however, the sender is required to perform a computation to sign the information to be transferred and the receiver is required to perform a computation to verify the signed information.

[0010] In a typical implementation a signature component s has the form:

s=ae+k (mod n)

[0011] where, in an elliptic curve crypto system,

[0012] P is a point on the underlying curve which is a predefined parameter of the system;

[0013] k is a random integer selected as a short term private or session key;

[0014] R=kP is the corresponding short term public key,

[0015] a is the long term private key of the sender;

[0016] Q=aP is the sender's corresponding public key;

[0017] e is a secure hash, such as the SHA-1 hash function, of a message m and the short term public key R; and

[0018] n is the order of the curve.

[0019] The sender sends to the recipient a message including m, s, and R, and the signature is verified by computing the value R′=sP−eQ, which should correspond to R. If the computed values correspond then the signature is verified.

[0020] In order to perform the verification it is necessary to compute the point multiplications to obtain sP and eQ, each of which is computationally complex. Where the recipient has adequate computing power this does not present a particular problem, but where the recipient has limited computing power, such as in a secure token or a “Smart card” application, the computations may introduce delays in the verification process.

[0021] Key generation and signature protocols may therefore be computationally intensive. As cryptography becomes more widely used there is an increasing demand to implement cryptographic systems that are faster and that use limited computing power, such as may be found on a smart card or wireless device.

[0022] Elliptic curve cryptography (ECC) provides a solution to the computation issue. ECC permits reductions in key and certificate size that translate to smaller memory requirements, and significant cost savings. ECC can not only significantly reduce the cost, but also accelerate the deployment of smart cards in next-generation applications. Additionally, although the ECC algorithm allows for a reduction in key size, the same level of security as other algorithms with larger keys is maintained.

[0023] However, there is still a need to perform faster calculations on the keys so as to speed up the information transfer while maintaining a low cost of production of cryptographic devices.

[0024] Computing multiples of a point on an elliptic curve is one of the most frequent computations performed in elliptic curve cryptography. One method of speeding up such computations is to use tables of precomputed multiples of a point. This technique is more useful when a point is known beforehand. However, there are cases when multiples of previously unknown points are required (for example, in ECDSA verification). Thus there is a need for a system and method for facilitating point multiplications.

SUMMARY OF THE INVENTION

[0025] In general terms, the present invention represents the scalar k as a combination of components k_(i) and an integer λ derived from an endomorphism in the underlying curve.

[0026] The method is based on the observation that, given an elliptic curve (EC) having a complex multiplication mapping over a finite field, there is a λ, which is the solution to a quadratic, for which the complex multiplication mapping is equivalent to multiplying a point Q by λ. It will often be less computationally expensive to compute λQ via the complex multiplication map, compared to treating λ as an integer and performing the EC multiplication. In practice, point multiplication by other scalars (not just λ) is required. It is also shown how the multiplication mapping may be used to compute other multiples of the point.

[0027] In accordance with this invention there is provided a method for accelerating multiplication of an elliptic curve point Q(x,y) by a scalar k, the method comprising the steps of: selecting an elliptic curve over a finite field F such that there exists an endomorphism ψ, where ψ(Q)=λ·Q for all points Q(x,y) on the elliptic curve; and using smaller representations k_(i) of the scalar k in combination with the mapping ψ to compute the scalar multiple of the elliptic curve point Q.

BRIEF DESCRIPTION OF THE DRAWINGS

[0028] These and other features of the preferred embodiments of the invention will become more apparent in the following detailed description in which reference is made to the appended drawings wherein:

[0029] FIG. 1 is a schematic diagram of a communication system;

[0030] FIG. 2 is a flow chart showing the steps of implementing a first embodiment of the present invention.

[0031] FIG. 3 is a flow chart showing the steps of providing parameters required to implement the method of FIG. 2.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0032] For convenience in the following description, like numerals refer to like structures in the drawings. Referring to FIG. 1, a data communication system 10 includes a pair of correspondents, designated as a sender 12 and a recipient 14, connected by a communication channel 16. Each of the correspondents 12, 14 includes a cryptographic processor 18, 20 respectively that may process digital information and prepare it for transmission through the channel 16 as will be described below. Each of the correspondents 12, 14 also includes a computational unit 19, 21 respectively to perform mathematical computations related to the cryptographic processors 18, 20. The processors 18, 20 may be embodied in an integrated circuit incorporated in the processor or may be implemented as instructions encoded on a data carrier to implement a predetermined protocol in conjunction with a general purpose processor. For the purpose of illustration it will be assumed that the correspondent 12 is in the form of a smart card having a dedicated processor 18 with relatively limited computing power. The processor 20 may be a central server communicating with the card by channel 16, and channel 16 may be a wireless communication channel if preferred.

[0033] The cryptographic processors 18 implement an elliptic curve cryptographic system, or ECC, and one of the functions of the cryptographic processor 18 is to perform point multiplications of the form k·Q, where k is an integer and Q a point on the underlying elliptic curve, so that they may be used as a key pair k, kQ in a cryptographic scheme. As noted above, cryptographic computations such as the multiplication of an elliptic curve point by a scalar value are computationally expensive.

[0034] A method for accelerating scalar multiplication of an elliptic curve point Q(x,y) is shown in FIG. 2 and indicated generally by the numeral 50. The subject algorithm increases the speed at which the processors 12 can, for example, sign and verify messages for specific classes of elliptic curves. The method is based on the observation that, given the general equation for an elliptic curve E:

y²+a₁xy+a₃y=x³+a₂x²+a₄x+a₆  (1)

[0035] over a finite field, exemplified as F_(q) (q is a prime power), when there exists an endomorphism ψ, where ψ(Q)=λ·Q for all points Q(x,y) on the elliptic curve, then multiplication of the point Q by an integer k may be accelerated by utilizing combinations of smaller representations k_(i) of k in combination with the mapping ψ. The mapping ψ also allows precomputation of group elements and combinations thereof, which may be used in subsequent calculation of kQ.

[0036] Referring now to FIG. 2, a flow chart of a general embodiment for accelerating point multiplication on an elliptic curve is shown by numeral 50. The system parameters are first selected. As an initial step an underlying elliptic curve E is selected to have certain characteristics. In a first embodiment of the invention the generalized elliptic curve (1) may be expressed in the following form:

E:y²=x³+b mod p; where p is a prime.  (2)

[0037] Firstly, the modulus p can be determined such that there is a number γ, where γ ∈ F_(p) (F_(p) is the field of size p consisting of all integers mod p), and γ³≡1 mod p (a cube root of unity). If for example p=7, then γ=2, since 2³ mod 7=1. Such a γ does not necessarily exist for all p, and therefore this must be taken into consideration when choosing the value of p. Typically, the chosen p should be at least 160 bits in length for adequate cryptographic strength.

[0038] After the curve E has been selected, a mapping function ψ is determined. The mapping function ψ: (x,y)→(γx, y) simply maps one set of points on the curve to another set of points on the curve. There exists an integer λ such that ψ(Q)=λ·Q for all points Q(x,y) of interest on the elliptic curve E. This integer λ may be found by noting that λ³≡1 mod n, where n is the number of points on the elliptic curve E over F_(p), i.e. the number of points on E(F_(p)). There may exist more than one solution for λ in λ³≡1 mod n, but only one of those solutions will satisfy the mapping function ψ. It is important to note that since λ³ mod p=1, both Q and ψ(Q) satisfy the equation for E. Therefore, instead of having to perform lengthy calculations to determine the result of multiplication by λ, it can be done very efficiently using the result of the mapping function.

[0039] A seed point Q is selected and the system parameters E, p, Q, λ, ψ(Q), and γ are stored in the card 12, as indicated at 52, at manufacture time for use by the cryptographic processor 18. To implement a cryptographic procedure such as encryption, key agreement or signature, it is necessary to select an integer k for use as an ephemeral private key k and generate a corresponding public key kQ.

[0040] The value of k may be expressed as:

k=(k₀+k₁λ)mod n  (3)

[0041] where n is the number of points on E(F_(p)) and k₀ and k₁ are integers. The point k·Q then becomes:

k·Q=(k₀Q+k₁λQ) mod n  (4)

[0042] For some cryptographic operations the value of k may be chosen at random and in these cases, rather than select k, it is possible to select values for k₀ and k₁ at random, having a length of [log₂(n)]/2 not including sign bits (i.e. the lengths of the k_(i)'s are chosen to be at least one half the length of k), and then calculate the value for k using equation (3). Having selected the values of k₀, k₁ as indicated at 54 in FIG. 2, the right side of equation (4) can be calculated quickly using an algorithm analogous to the “Simultaneous Multiple Exponentiation” described in the “Handbook of Applied Cryptography” (HAC) by Menezes et al. (Algorithm 14.88) and indicated at 56. For convenience the algorithm is reproduced below. It may be noted that in an additive group exponentiation is analogous to addition; thus replacing the multiplication in the algorithm with addition yields the following:

Algorithm 1: Simultaneous Multiple Addition
INPUT: group elements g₀, g₁, ..., g_(l−1) and non-negative t-bit integers e₀, e₁, ..., e_(l−1).
OUTPUT: g₀e₀ + g₁e₁ + ... + g_(l−1)e_(l−1).
Step 1. Precomputation. For i from 0 to (2^(l) − 1): G_(i) ← Σ_(j=0)^(l−1) g_(j)i_(j), where i = (i_(l−1) ... i₀)₂.
Step 2. A ← 0.
Step 3. For i from 1 to t do the following: A ← A + A, A ← A + G_(I_(i)).
Step 4. Return A, where A = g₀e₀ + g₁e₁ + ... + g_(l−1)e_(l−1).

[0043] Applying this algorithm to equation (4) it can be seen that there are two group elements g₀, g₁, namely Q and λQ, so that l=2, and two integers e₀, e₁, namely k₀, k₁. The algorithm permits precomputation of some of the values and initially G_(i) is precomputed. The result of precomputation of G_(i) with l=2 is shown in table 1.

TABLE 1
i       0   1    2    3
G_(i)   0   g₀   g₁   g₀ + g₁

[0044] After performing a point addition to construct the point Q+ψ(Q), it is possible to fill in table 1 with the computed elements to yield table 2. These elements may be pre-computed and stored in memory as shown at step 58 in FIG. 2.

TABLE 2
i       0   1   2      3
G_(i)   0   Q   ψ(Q)   Q + ψ(Q)

[0045] Before step 3 of the algorithm can be performed, G_(I_(i)) has to be determined and accordingly I₁ through I_(t) have to be found as indicated at 60. A notional matrix or combing table may be constructed using the binary representation of k_(i). If, for example, k₀=30 and k₁=10, then t has the value five since the maximum number of bits in the binary representation of k₀ through k₁ is five, and the notional matrix constructed from their binary representation is shown in Table 3. I_(i) is determined by the number represented in the i^(th) column, where the first row contains the least significant bit, the second row contains the next significant bit, etc. Therefore it can be seen from table 3 that I₁=(01)=1, I₂=(11)=3, I₃=(01)=1, I₄=3, and I₅=0.

TABLE 3
i       1   2   3   4   5
k₀      1   1   1   1   0
k₁      0   1   0   1   0
I_(i)   1   3   1   3   0

[0046] All the components needed to complete the algorithm are available and the iteration of step three is performed as shown at 62.

[0047] Initially A←0 and i is set to 1.

[0048] I_(i)=I₁ which from table 3 is equal to 1. G_(I₁) is therefore G₁ which from table 2 is Q. The value of A from the iteration for i=1 is therefore 0+Q=Q.

[0049] For the next iteration where i=2 the initial value of A is Q so A←Q+Q=2Q. I_(i)=I₂=3 from table 3. G_(I₂) therefore equates to G₃ from table 2 which is Q+ψ(Q).

[0050] A+G_(I₂) is therefore computed as 2Q+Q+ψ(Q)=3Q+ψ(Q).

[0051] The iterations continue for each value of i set out in table 4 until after the 5^(th) iteration the value k₀Q+k₁λQ, i.e. kQ, is computed.

TABLE 4
i   A
1   Q
2   3Q + ψ(Q)
3   7Q + 2ψ(Q)
4   15Q + 5ψ(Q)
5   30Q + 10ψ(Q)

[0052] Each iteration requires a point doubling (A+A) and a point addition (A+G_(I_(i))), although in some cases the value of G_(I_(i)) may be 0, which reduces the computation.

[0053] Thus it may be seen that this method will require a number of point doubles equal to max{log₂(k_(i))}, and almost as many point additions. The number of point additions can be reduced using windowing (Alg. 14.85 HAC) and exponent recoding techniques. Since the values of I_(i) and G_(i) can be precomputed, the point additions are easily performed by retrieving the appropriate precomputed element G_(I_(i)) from table 2. Once kQ has been computed, it may be used as the correspondent 12's ephemeral public key in encrypting or signing transmissions over the channel 16.
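A toy instance of the first embodiment, added here as an illustration and not part of the patent: the curve y²=x³+2 over F_(13) (constructed parameters; p=13 has the cube root of unity γ=3), the map ψ(x,y)=(γx,y), λ found by matching λQ against ψ(Q) among the cube roots of unity mod n, and Algorithm 1 run on (Q, ψ(Q)) with the page's k₀=30, k₁=10. The function names are this example's own; simultaneous_add is the general routine and also covers a sum such as sP+(−e mod n)Q used in verification.

```python
# Added example, not the patent's own code: a toy instance of the first embodiment.
# Constructed parameters: E: y^2 = x^3 + 2 over F_13 (p = 13 = 1 mod 3, so a cube
# root of unity gamma exists), psi(x, y) = (gamma*x, y), and Algorithm 1 run on
# the pair (Q, psi(Q)) with k0 = 30, k1 = 10.  Numbers are tiny so n = #E(F_p)
# can be counted by brute force; real systems use p of at least 160 bits.

P = 13
B = 2
INF = None  # point at infinity


def inv(a):
    return pow(a, -1, P)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + B)) % P == 0


def add(p1, p2):
    """Affine point addition/doubling on y^2 = x^3 + b (the a4 term is zero)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 = -p2
    if p1 == p2:
        s = 3 * x1 * x1 * inv(2 * y1) % P
    else:
        s = (y2 - y1) * inv(x2 - x1) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Plain double-and-add; used only as the reference answer."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


def count_points():
    """n = #E(F_p), counting the point at infinity."""
    return 1 + sum(on_curve((x, y)) for x in range(P) for y in range(P))


def cube_root_of_unity(m):
    """Smallest g > 1 with g^3 = 1 mod m (None if m has none)."""
    return next((g for g in range(2, m) if pow(g, 3, m) == 1), None)


GAMMA = cube_root_of_unity(P)  # 3 for p = 13


def psi(pt):
    """The endomorphism psi: (x, y) -> (gamma*x, y)."""
    if pt is INF:
        return INF
    return (GAMMA * pt[0] % P, pt[1])


def find_lambda(q, n):
    """The cube root of unity lambda mod n for which lambda*Q == psi(Q)."""
    for lam in range(2, n):
        if pow(lam, 3, n) == 1 and mul(lam, q) == psi(q):
            return lam
    raise ValueError("no lambda matches psi on this point")


def simultaneous_add(g, e):
    """Algorithm 1: sum_j e[j]*g[j] with one doubling per bit column.
    Returns the sum and the column indices I_1..I_t (most significant first)."""
    l, t = len(g), max(x.bit_length() for x in e)
    table = [INF] * (1 << l)
    for i in range(1, 1 << l):  # G_i = sum of g_j over the set bits j of i
        for j in range(l):
            if (i >> j) & 1:
                table[i] = add(table[i], g[j])
    acc, cols = INF, []
    for row in range(t - 1, -1, -1):
        idx = sum(((x >> row) & 1) << j for j, x in enumerate(e))
        cols.append(idx)
        acc = add(add(acc, acc), table[idx])
    return acc, cols


def glv_mul(k0, k1, q, lam, n):
    """kQ for k = k0 + k1*lambda mod n, computed as k0*Q + k1*psi(Q)."""
    acc, cols = simultaneous_add([q, psi(q)], [k0, k1])
    return acc, (k0 + k1 * lam) % n, cols


if __name__ == "__main__":
    n = count_points()
    Q = (1, 4)
    lam = find_lambda(Q, n)
    print("n =", n, "gamma =", GAMMA, "lambda =", lam)
    print(glv_mul(30, 10, Q, lam, n), "reference", mul(7, Q))
```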

[0054] To summarize, for cryptographic operations like encryption, Diffie-Hellman and signature, an integer k is required with a corresponding public key kQ computed. The values k₀ and k₁ are chosen at random, each having a length one half the length of n, and the term kQ=k₀Q+k₁λQ is generated using a suitable algorithm. When the k's are chosen in this way, the method seems to be as secure as the random generation of k itself. Of course it is possible to choose the k_(i)'s to have fewer bits in order to improve efficiency.

[0055] In the above technique, the method of writing k=k₀+k₁λ in conjunction with simultaneous combing achieves a speed up of the simultaneous multiple addition algorithm. The technique of writing k=k₀+k₁λ may also be used to advantage with the other scalar multiplication techniques, namely windowing, combing, etc.

[0056] For some mappings ψ, it is also possible to use more than two sub-k's. It is possible for some ψ's to write k=k₀+k₁λ+k₂λ², allowing the value of k to be computed by applying the simultaneous multiple addition algorithm.

[0057] In a second embodiment of the invention a different form of the generalized elliptic curve equation (1) is used, namely:

y²=(x³−ax) mod p  (5)

[0058] Once again, p will be a prime number having at least 160 bits. For this type of curve, the properties required for γ are different. It is now required to find a value such that γ²≡−1 mod p. A change in the property of γ requires a different mapping function ψ′ to be used. In this embodiment the mapping takes the form ψ′: (x,y)→(−x, γy). If (x,y) is on the curve, then ψ′(x,y) is also on the curve. In this case λ⁴≡1 mod n (n is still the number of points on E(F_(p))), and therefore λ can be calculated. The mapping ψ′(Q)=λ·Q is performed as before and once again multiplication by λ can be done very efficiently for this curve. The equation for k in this embodiment is the same as in the first embodiment and is represented by:

k=(k₀+k₁λ) mod n  (6)

[0059] This equation is the same as in the previous embodiment, having only two group elements. Thus, using the group elements Q and Q+ψ′(Q) in Algorithm 1, the point k·Q may be calculated. This computation will require a number of point doubles equal to max{log₂(k_(i))}, and a similar number of point additions. As described earlier, the number of point additions can be reduced using windowing and exponent recoding techniques.

[0060] This method applies to other elliptic curves, so long as there exists an efficiently computable endomorphism ψ.

[0061] The above embodiments assume that k can be chosen at random and therefore k₀ and k₁ can be selected instead to determine k. For cryptographic protocols where it is not possible to choose k, it is first necessary to find k₀, k₁ of the desired “short” form from the given value of k such that k=(k₀+k₁λ) mod n. In some cases, more than two k's can be used to advantage.

[0062] As may be seen in the embodiments described above, when a point is known beforehand, tables can be built to speed multiplication. However, there are cases when multiples of previously unknown points are required (for example, this can occur in ECDSA verification) and it is then necessary to take the value of k as provided and then determine suitable representations for k_(i).

[0063] Thus in a third embodiment, system parameters and a value k are provided: the point Q, the required multiple k, and the complex multiplication multiple λ are known. It is necessary to determine the “short” k_(i)'s from the value for k, which is predetermined. A method for doing this is described as follows and illustrated in the flow chart of FIG. 3. As a pre-computation (not requiring k) we compute two relations:

a₀+b₀λ≡0 mod n

a₁+b₁λ≡0 mod n

[0064] such that a_(i) and b_(i) are numbers smaller than n. It is preferable that a_(i) and b_(i) are as small as possible; however, the present method has advantages even when a_(i) and b_(i) are not minimal. The pair a_(i) and b_(i), where a_(i) and b_(i) are both small, can be viewed as a vector u_(i) with a small Euclidean length. Typically the method described below produces k₀ and k₁ having representations one half the size of the original k.

[0065] In the present embodiment, kQ can be computed efficiently by utilizing precomputed, short vector representations to obtain an expression of the form:

k₀Q+λk₁Q

[0066] This is accomplished by using precomputed vectors to derive fractions f₀ and f₁ that do not require knowledge of k. A vector z is generated from the combination of the fractions f₀ and f₁ and k. The vector z is used to calculate a second vector v′ where v′=(v₀′, v₁′), and the value of kQ is calculated as

v₀′Q+λv₁′Q  (8)

[0067] The method of achieving this solution is described below in greater detail.

[0068] To produce small a_(i) and b_(i), it is possible to make use of the L³-lattice basis reduction algorithm (HAC p.118), which would directly result in short basis vectors. However, in this preferred embodiment the simple extended Euclidean algorithm is employed on the pair (n, λ). The extended Euclidean algorithm on (n, λ) produces linear combinations c_(i)n+d_(i)λ=r_(i), where the representation of r_(i) (e.g. bit-length) decreases and the representation of c_(i) and d_(i) increases with i.

[0069] The two smallest values of |(d_(i), r_(i))| resulting from using the extended Euclidean algorithm are saved. The size of these vectors is measured with the squared Euclidean norm |(d_(i), r_(i))|²=d_(i)²+r_(i)². The terms in these minimal relations are denoted d̂₀, r̂₀ and d̂₁, r̂₁, and will typically occur in the middle of the algorithm. Even if the minimal relations are not retained, suboptimal relations may still give the method an advantage in the calculation of point multiples.

[0070] The values of a_(i) and b_(i) are constructed by defining a₀=−r̂₀, b₀=d̂₀ and a₁=−r̂₁, b₁=d̂₁, all of which may be precomputed. The next task is to find a small representation for the multiple k.

[0071] Given the computation of a₀, b₀ and a₁, b₁ it is possible to designate the vectors u₀, u₁, where u₀=(a₀, b₀) and u₁=(a₁, b₁). These vectors satisfy a_(i)+b_(i)λ≡0 (mod n). The multiplication of the group element Q by the vector v=(v₀, v₁) is defined as (v₀+v₁λ)Q. Since a_(i)+b_(i)λ≡0 (mod n), u₀R=u₁R=0 for any group element R. Hence for any integers z₀ and z₁, v′R=(v−z₀u₀−z₁u₁)R=vR for any group element R.

[0072] Integers z₀ and z₁ may be chosen such that the vector v′=v−z₀u₀−z₁u₁ has components that are as small as possible. Again, this method will have an advantage if the components of v′ are small, but not necessarily minimally so.

[0073] The appropriate z₀ and z₁ are calculated by converting the basis of v into the basis {u₀, u₁}. The conversion between bases involves matrix multiplication. To convert the vector v=(v₀, v₁) from the {u₀, u₁} basis to the standard orthonormal basis {(1,0),(0,1)},
$v_{\{(1,0),(0,1)\}} = v_{(u_0,u_1)}\,M = (v_0, v_1)\begin{bmatrix} a_0 & b_0 \\ a_1 & b_1 \end{bmatrix}$

[0074] To convert in the other direction, from the standard orthonormal basis {(1,0),(0,1)} to the {u₀, u₁} basis, the multiplication is simply by the inverse of M,
$v_{(u_0,u_1)} = v_{\{(1,0),(0,1)\}}\,\mathrm{inverse}(M) = v_{\{(1,0),(0,1)\}}\,\frac{1}{a_0 b_1 - a_1 b_0}\begin{bmatrix} b_1 & -b_0 \\ -a_1 & a_0 \end{bmatrix}$

[0075] Since the vector v=(k, 0) has a zero component, the bottom row of inverse(M) is not required, and therefore to convert to the {u₀, u₁} basis only the fractions $f_0 = \frac{b_1}{a_0 b_1 - a_1 b_0}$ and $f_1 = \frac{b_0}{a_0 b_1 - a_1 b_0}$

[0076] are needed.

[0077] The fractions f₀ and f₁ may be precomputed to enough precision so that this operation may be effected only with multiplication. It should be noted that the computations leading to these fractions do not depend upon k; therefore they can be computed once when the elliptic curve is chosen as a system parameter, and do not need to be recalculated for each k. Similarly the vectors v, u₀ and u₁ may be precomputed and stored.

[0078] Once a value of k is selected or determined, the value of kQ may be computed by first calculating z=(z₀, z₁), where z is defined as (z₀, z₁)=(round(kf₀), round(kf₁)). Other vectors near to z will also be useful; therefore rounding could be replaced with floor or ceiling functions or some other approximation.

[0079] Once a suitable z has been determined, an efficient equivalent to v=(k,0) is calculated by v′=(v₀′, v₁′)=v−z₀u₀−z₁u₁. The phrase “efficient equivalent” implies a vector v′ such that v′P=vP and v′ has small coefficients. The value kQ is then calculated as v₀′Q+v₁′λQ. This value can be calculated using simultaneous point addition as described above, with enhanced efficiency obtained from the use of non-adjacent form (NAF) recoding as described in H.A.C. 14.7 at page 627. Thus, even where k is predetermined, values of k₀ and k₁ can be computed and used with the mapping function to obtain a value of kQ and thus the key pair k, kQ.
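The third embodiment's decomposition of a given k, as an added example that is not the patent's code, on the constructed toy parameters n=19 and λ=11 (λ³≡1 mod 19): short relations from the extended Euclidean algorithm on (n, λ), then z=round(k·f) and v′=v−z₀u₀−z₁u₁. Function names are this example's own, and f₀, f₁ are taken as the top row of inverse(M) with their signs, so that v′ really equals v−z₀u₀−z₁u₁ with z the rounded coordinates of v in the {u₀, u₁} basis.

```python
# Added example, not the patent's own code: short-vector decomposition of a
# predetermined scalar k into (k0, k1) with k0 + k1*lambda = k (mod n).
# Constructed toy parameters used below: n = 19, lambda = 11 (11^3 = 1 mod 19).
from fractions import Fraction


def euclid_relations(n, lam):
    """Rows (d_i, r_i) of the extended Euclidean algorithm on (n, lam); each row
    satisfies d_i*lam = r_i (mod n).  The coefficients c_i of n are not needed."""
    rows = [(0, n), (1, lam)]
    (d0, r0), (d1, r1) = rows
    while r1 != 0:
        q = r0 // r1
        d0, d1 = d1, d0 - q * d1
        r0, r1 = r1, r0 - q * r1
        rows.append((d1, r1))
    return rows[:-1]  # drop the final zero-remainder row


def short_basis(n, lam):
    """The two smallest independent rows by squared norm d^2 + r^2, returned as
    u0 = (a0, b0), u1 = (a1, b1) with a_i = -r_i, b_i = d_i, so a_i + b_i*lam = 0 mod n."""
    rows = sorted(euclid_relations(n, lam), key=lambda dr: dr[0] ** 2 + dr[1] ** 2)
    d0, r0 = rows[0]
    for d1, r1 in rows[1:]:
        if d0 * r1 - d1 * r0 != 0:  # independent, so M is invertible
            return (-r0, d0), (-r1, d1)
    raise ValueError("no independent short relation found")


def decompose(k, n, lam):
    """Return (k0, k1) with k0 + k1*lam = k (mod n) and both components short."""
    (a0, b0), (a1, b1) = short_basis(n, lam)
    det = a0 * b1 - a1 * b0  # +/- n for consecutive Euclid rows
    # Top row of inverse(M) (signs included): coordinates of v = (k, 0) in {u0, u1}.
    f0 = Fraction(b1, det)
    f1 = Fraction(-b0, det)
    z0 = round(k * f0)  # Fraction rounds to an int; floor/ceil would also work
    z1 = round(k * f1)
    k0 = k - z0 * a0 - z1 * a1  # v' = v - z0*u0 - z1*u1, first component
    k1 = 0 - z0 * b0 - z1 * b1  # second component (v = (k, 0))
    return k0, k1


def check(k, n, lam):
    """True when the decomposition reproduces k modulo n."""
    k0, k1 = decompose(k, n, lam)
    return (k0 + k1 * lam) % n == k % n


if __name__ == "__main__":
    print(short_basis(19, 11))       # ((-3, 2), (-2, -5))
    print(decompose(7, 19, 11))      # (-1, -1): -1 - 11 = -12 = 7 mod 19
```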

[0080] For the case where k is to be separated into 3 portions k=k₀+k₁λ+k₂λ², small vectors can be obtained from L³-row-reducing
$\begin{bmatrix} 1 & 0 & -\lambda^2 \\ 0 & 1 & -\lambda \\ 0 & 0 & -n \end{bmatrix}$ to $\begin{bmatrix} u_2 \\ u_1 \\ u_0 \end{bmatrix}$

[0081] A small vector equivalent (three-dimensional row) can be obtained in a similar way to the two-dimensional case.

[0082] Using these methods to determine the value of k·Q greatly reduces the processing power required by the cryptographic processors 12. It also increases the speed at which these repet itive calculations can be done which, in turn, reduces the time to transfer information.

[0083] It will be appreciated that once the scalar multiple k has been represented in terms of shortened components k=k₀+k₁λ+k₂λ²+...+k_(m−1)λ^(m−1), other options for efficient elliptic curve scalar multiplication may be used in place of or in conjunction with the simultaneous multiple addition algorithm. These options include windowing (fixed and sliding), combing, bit recoding and combinations of these techniques.

[0084] One particularly beneficial technique permits tables built for one component of the multiplication, say k₀, to be reused for other components k₁ etc. This is accomplished by transforming the computed table elements by applying the mapping γ as required.

[0085] As a further exemplification, an embodiment where k can be recast as k=k₀+k₁λ+k₂λ², where k has m bits and the k_(i) have roughly m/3 bits, is described below.

[0086] Once the components k_(i) have been determined, they may be recoded from the binary representation to a signed binary representation having fewer non-zero bits. This recoding can take the Non-Adjacent Form (NAF), where every 1 or −1 bit in the representation of k_(i) is non-adjacent to another non-zero bit in the signed binary string. This recoding is described in H.A.C. 14.7 p. 627.

[0087] Once each k_(i) has been recoded, a table can be constructed to aid in computing k_(i)λ^(i)P.

[0088] A NAF windowing table precomputes certain short-bit-length multiples of λ^(i)P. The width of the window determines the size of the table. As k_(i) has been recoded to have no adjacent non-zeros, odd window widths are suitable. A 3-bit wide NAF window would contain 1, 101, 10−1.

[0089] The recoded k_(i) values are built by concatenating these windows, and padding where necessary with zeros (H.A.C., p. 616).

[0090] The required number of additions can be reduced with use of this table, since it is necessary to add or subtract an EC point only for every window encountered instead of for every non-zero bit.

[0091] Initially, therefore, this technique is applied to the computation of k₀P.

[0092] The table built for the k₀P calculation can be applied to the k₁λP calculation if the table elements are mapped with the ψ mapping using the operator γ. Similarly, k₂λ²P can be accelerated by using the table built for k₀P, but mapping the table elements with γ².

[0093] In applying the sliding window technique to the components, only one set of doublings need be performed.

[0094] To illustrate this example of a preferred embodiment the following example will be used:

If k=[1011010111101]₂+[111010101101]₂λ,

[0095] then recoding

[0096] k=[10−100−10−100−101]+[1000−10−10−10−101]λ=k₀′+k₁′λ

[0097] A 3-bit window table on P is precomputed containing 1·P, [10−1]·P, [101]·P. This requires two EC additions and two EC doublings.

[0098] After this, kP can be calculated as

kP=[10−100−10−100−101]P+[1000−10−10−10−101]·λP

[0099] by adding/subtracting elements from the table.

[0100] This can be done using an accumulator A as follows:
A ← 0 ; initialize
A += ψ(1·P) ; consuming the top bit of k₀^(r)
A ← 2A ; double A
A ← 2A
A += [10−1]P ; consuming the top 3 bits of k₀^(r)
A ← 2⁴A
A −= [101]ψP ; consuming a 3 bit window of k₁^(r)
A ← 2A ; double A
A −= [101]P ; consuming 3 bits of k₁^(r)
A ← 2⁴A
A −= [101]ψP ; consuming 3 bits of k₁^(r)
A ← 2²A
A −= [10−1]P ; consuming the last of k₀^(r)
A += ψP ; producing kP.

[0101] It will be recognized from the above example that the windows in k₀ and k₁ need not be aligned. This is evidenced by the fact that the accumulator is doubled between computations of the windows in k₀ and the computations of the windows in k₁, indicating a shift of window between evaluating k₀P and k₁P.
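NAF recoding and the shared-doubling window schedule of [0086] to [0101], as an added example that is not from the patent. It recomputes the recodings of the page's k₀ and k₁ rather than copying them, and, to stay short, models the group as the integers mod n with P=1 and ψ(P)=λ (an assumption: the same schedule drives curve points); n=19, λ=11 are constructed toy values and the function names are this example's own.

```python
# Added example, not the patent's own code: NAF recoding of the two components and a
# width-3 sliding-window evaluation that shares one doubling chain between k0 and k1.
# Assumption for brevity: the group is Z/n with P = 1 and psi(P) = lambda, so the
# schedule can be checked with integer arithmetic; curve points follow the same steps.

K0 = 0b1011010111101   # the page's k0 (5821)
K1 = 0b111010101101    # the page's k1 (3757)


def naf(k):
    """Signed-digit non-adjacent form of k >= 0, least significant digit first."""
    digits = []
    while k > 0:
        if k & 1:
            d = 2 - (k & 3)  # 1 when k = 1 mod 4, -1 when k = 3 mod 4
            k -= d
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits


def naf_value(digits):
    return sum(d << i for i, d in enumerate(digits))


def is_non_adjacent(digits):
    return all(not (digits[i] and digits[i + 1]) for i in range(len(digits) - 1))


def window_schedule(digits, w):
    """Sliding windows of width <= w over a NAF (LSB first): {shift: value}, meaning
    'add value * 2^shift'.  Values are odd with |value| <= (2^(w+1) - 1) // 3."""
    sched = {}
    i = len(digits) - 1
    while i >= 0:
        if digits[i] == 0:
            i -= 1
            continue
        lo = max(0, i - w + 1)
        while digits[lo] == 0:  # shrink so the window ends on a nonzero digit
            lo += 1
        sched[lo] = sum(digits[j] << (j - lo) for j in range(lo, i + 1))
        i = lo - 1
    return sched


def windowed_mul(k0, k1, lam, n, w=3):
    """(k0 + k1*lam) mod n via one table of odd multiples of P, reused for the
    lambda component by applying psi (here: multiplying by lam).  Returns the
    result and the number of table additions/subtractions performed."""
    vmax = (2 ** (w + 1) - 1) // 3                        # 5 for w = 3
    table_p = {v: v % n for v in range(1, vmax + 1, 2)}   # 1P, 3P, 5P
    table_psi = {v: (v * lam) % n for v in table_p}       # psi applied to the table
    s0, s1 = window_schedule(naf(k0), w), window_schedule(naf(k1), w)
    top = max(len(naf(k0)), len(naf(k1)))
    acc, adds = 0, 0
    for pos in range(top - 1, -1, -1):
        acc = (acc + acc) % n                             # one shared doubling
        for sched, table in ((s0, table_p), (s1, table_psi)):
            if pos in sched:
                v = sched[pos]
                acc = (acc + (table[v] if v > 0 else -table[-v])) % n
                adds += 1
    return acc, adds


if __name__ == "__main__":
    print(naf(K0)[::-1], naf(K1)[::-1])
    print(window_schedule(naf(K0), 3), window_schedule(naf(K1), 3))
    print(windowed_mul(K0, K1, 11, 19))  # (9, 7)
```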

[0102] In summary, the previously described technique is as follows. Given an elliptic curve E and an endomorphism ψ, there corresponds an integer λ such that λQ=ψ(Q) for all points Q∈E. Select an integer m and compute an equivalent number m of “short basis vectors” b₁, b₂, ..., b_(m). Each such basis vector corresponds to an integer, and each such integer is divisible by the number of points n=#E(F_(p^m)). Now, given an integer k (0<k<n), we write k=Σk_(i)·λ^(i), where the k_(i)'s are chosen to be “short”. This is done by finding the difference between a certain vector (which represents k) and a nearby vector in the lattice generated by b₁, b₂, ..., b_(m).

[0103] The following embodiment explicitly describes an application of the previously described technique (endomorphism and basis conversion and “Shamir's trick”) to elliptic curves defined over composite fields. In particular, an application to curves E(F_(p^m)) where p is an odd prime is described. The following embodiments exemplify techniques for such curves.

[0104] This technique is described in the case where the map ψ is the Frobenius map ψ(x,y) = (x^(p), y^(p)) and the curve is E′_(A,B)(F_(p)^(m)), where A, B ∈ F_(p).

[0105] In this case, it is known that the Frobenius map satisfies ψ² − tψ + p = 0, where t = p + 1 − #E(F_(p)^(m)).

[0106] It follows that λ² − tλ + p = 0 mod n, and so λ^(i+2) − tλ^(i+1) + pλ^(i) = 0 mod n.

[0107] Note that the vectors, with coordinates indexed by (λ^(m−1), . . . , λ², λ¹, λ⁰):

b₁ = (0, 0, 0, . . . , 0, 1, −t, p)
b₂ = (0, 0, . . . , 0, 1, −t, p, 0)
. . .
(1, −t, p, 0, 0, . . . , 0)
(−t, p, 0, 0, . . . , 0, 1)
b_(m) = (p, 0, 0, 0, . . . , 0, 1, −t)

[0108] consist of m “short” basis vectors of the vector space Q^(n). It follows that to compute kQ on such a curve we can proceed using the vectors b₁, b₂, . . . , b_(m) and the technique described previously.

[0109] In the above embodiments it will be appreciated that k₁λQ can be obtained from ψ(k₁Q) if the mapping ψ is more efficient than addition.

[0110] In a further embodiment, the above methods are used to verify a digital signature on a message. A sender sends a message m, a signature component s, and a short term public key R = kP. As indicated above, in a typical digital signature protocol, the signature component s is generated using the formula s = ae + k. The value a is a long term private key of the sender, and e is a hash of the message m.

[0111] Verification requires computing the value sP − eQ, which should correspond to R, where Q = aP is a long term public key of the sender. This is the case since k = s − ae.

[0112] Accordingly, Algorithm 1 may be applied to compute a sum g₀e₀ + g₁e₁ of scalar multiples of two group elements g₀ and g₁, where the scalars are s and −e and the group elements are P and Q. A further improvement is obtained by using the NAF as above.

[0113] For ease of explanation, the method will be illustrated for computing αP + βQ. In the preferred embodiment of verifying a signature, α = s and β = −e.

[0114] In this case, it may no longer be possible to reuse tables built for one component of the multiplication for other components, unless the relationship between the points P and Q is known to the verifier. Usually, the verifier knows P and Q, but not the scalar a that relates P and Q (i.e. Q = aP). In this case, it is necessary to use a table for each of P and Q. Then a sliding window method may be used by adding/subtracting elements from the tables.

[0115] The following example illustrates this embodiment:

If α = [101101011101]₂ and β = [111010101101]₂,

then k = [101101011101]₂ + [111010101101]₂·a,

and recoding α = [10−100−10−100−101]₂ and β = [1000−10−10−10−101]₂,

[0116] A 3-bit window table on P and a 3-bit window table on Q are precomputed containing 1·P, [10−1]·P, [101]·P and 1·Q, [10−1]·Q, [101]·Q respectively. This requires two EC additions and two EC doublings for each table.

[0117] After this, kP can be calculated as

kP = αP + βQ = [10−100−10−100−101]P + [1000−10−10−10−101]·Q

[0118] by adding/subtracting elements from the tables.

[0119] This can be done using an accumulator A as follows:

A ← 0 ; initialize
A += 1·Q ; consuming the top bit of β
A ← 2A ; double A
A ← 2A
A += [10−1]P ; consuming the top 3 bits of α
A ← 2⁴A
A −= [101]Q ; consuming a 3-bit window of β
A ← 2A ; double A
A −= [101]P ; consuming 3 bits of α
A ← 2³A
A −= [101]Q ; consuming 3 bits of β
A ← 2²A
A −= [10−1]P ; consuming the last of α
A += Q ; producing kP.

[0120] The signature is accepted as originating from the sender if the calculated value of kP is equal to the value of R received with the signature.

[0121] Again, it will be appreciated that the windows need not be aligned and that shifting of the windows produces a doubling of the accumulator for each bit shift of the window.
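The accumulator procedures of [0100] and [0119], as one added example that is not code from the patent: both scalars are recoded to NAF, a 3-bit window table {1·P, [10−1]·P, [101]·P} is built for each point, and a single accumulator consumes unaligned windows from α and β, doubling once per bit shift. The toy curve y² = x³ + 2x + 3 over F₉₇, the base point (3, 6) and the private scalar a = 17 (so Q = aP, as in [0114]) are constructed for illustration; the result is checked against plain double-and-add with k = α + βa from [0115].

```python
MOD, A_COEF = 97, 2  # constructed toy curve y^2 = x^3 + 2x + 3 over F_97
def ec_add(P, Q):  # affine point addition; None is the point at infinity
    if P is None or Q is None: return P if Q is None else Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % MOD == 0: return None
    if P == Q: m = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, MOD)
    else:      m = (y2 - y1) * pow(x2 - x1, -1, MOD)
    x3 = (m * m - x1 - x2) % MOD
    return (x3, (m * (x1 - x3) - y1) % MOD)

def ec_neg(P): return None if P is None else (P[0], -P[1] % MOD)
def ec_mul(k, P):  # plain double-and-add, used only as the reference result
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1": R = ec_add(R, P)
    return R
def naf(k):  # non-adjacent form, most significant digit first, digits in {-1,0,1}
    out = []
    while k:
        d = (2 - (k & 3)) if k & 1 else 0  # k%4==1 -> 1, k%4==3 -> -1
        k = (k - d) >> 1
        out.append(d)
    return out[::-1]
def window_table(P):  # 1P, [10-1]P = 3P, [101]P = 5P: two doublings, two additions
    P2 = ec_add(P, P); P4 = ec_add(P2, P2)
    return {1: P, 3: ec_add(P4, ec_neg(P)), 5: ec_add(P4, P)}

def shamir_window(alpha, P, beta, Q, w=3):  # alpha*P + beta*Q with one accumulator
    tabs, nafs = (window_table(P), window_table(Q)), [naf(alpha), naf(beta)]
    L = max(map(len, nafs)); nafs = [[0] * (L - len(n)) + n for n in nafs]
    A, pending = None, [None, None]  # per scalar: (window value, index of last digit)
    for pos in range(L):
        A = ec_add(A, A)  # every 1-bit shift of the windows doubles the accumulator
        for j in (0, 1):
            if pending[j] is None and nafs[j][pos] != 0:  # open a window here
                win = nafs[j][pos:pos + w]
                while win[-1] == 0: win.pop()  # a NAF window ends on a nonzero digit
                val = sum(x << (len(win) - 1 - i) for i, x in enumerate(win))
                pending[j] = (val, pos + len(win) - 1)  # the two windows need not align
            if pending[j] and pending[j][1] == pos:  # window fully shifted in: add it
                T = tabs[j][abs(pending[j][0])]
                A = ec_add(A, T if pending[j][0] > 0 else ec_neg(T))
                pending[j] = None
    return A

P = (3, 6)         # constructed base point: 6^2 = 27 + 6 + 3 = 36 (mod 97)
Q = ec_mul(17, P)  # long-term public key Q = aP with constructed a = 17; the verifier never uses a
assert shamir_window(2909, P, 3757, Q) == ec_mul(2909 + 3757 * 17, P)  # k = alpha + beta*a
```

With α = 2909 = [101101011101]₂ and β = 3757 = [111010101101]₂ the windows opened by the loop are exactly the [10−1], [101] and single-digit steps listed in [0119], with 2, 4, 1, 3 and 2 doublings between them.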

[0122] Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.

We claim:
 1. A method for multiplying an elliptic curve point Q(x,y) by a scalar to provide a point kQ, the method comprising the steps of: a) selecting an elliptic curve over a finite field F such that there exists an endomorphism ψ where ψ(Q) = λ·Q for all points Q(x,y) on the elliptic curve, and λ is an integer, b) establishing a representation of said scalar k as a combination of components k_(i) and said integer λ, c) combining said representation and said point Q to form a composite representation of a multiple corresponding to kQ and d) computing a value corresponding to said point kQ from said composite representation of kQ.
 2. A method according to claim 1 wherein each of said components k_(i) is shorter than said scalar k.
 3. A method according to claim 1 wherein said components k_(i) are initially selected and subsequently combined to provide said scalar k.
 4. A method according to claim 1 wherein said representation is of the form $k = {\sum\limits_{i = 0}^{}\quad {k_{i}\lambda^{i}}}$ mod n where n is the number of points on the elliptic curve.
 5. A method according to claim 4 wherein said representation is of the form k₀ + k₁λ.
 6. A method according to claim 1 wherein said scalar k has a predetermined value and said components k.
 7. A method according to claim 3 wherein said value of said multiple kQ is calculated using simultaneous multiple addition.
 8. A method according to claim 7 wherein grouped terms G_(I) utilized in said simultaneous multiple addition are precomputed.
 9. A method according to claim 6 wherein said components k_(i) are obtained by obtaining short basis vectors (u₀, u₁) of the field F, designating a vector v as (k, 0), converting v from a standard, orthonormal basis to the (u₀, u₁) basis to obtain fractions f₀, f₁ representative of the vector v, applying said fractions to k to obtain a vector z, calculating an efficient equivalent v′ to the vector v and using components of the vector v′ in the composite representation of kQ.
 10. A method of generating in an elliptic curve cryptosystem a key pair having an integer k providing a private key and a public key kQ, where Q is a point on the curve, a) selecting an elliptic curve over a finite field F such that there exists an endomorphism ψ where ψ(Q) = λQ for all points Q(x,y) on the elliptic curve, λ is an integer, b) establishing a representation of said key k as a combination of components k_(i) and said integer λ, c) combining said representation and said point Q to form a composite representation of a multiple corresponding to the public key kQ and d) computing a value corresponding to said key kQ from said composite representation of kQ.
 11. A method according to claim 10 including a method according to any one of claims 2 to 9.
 12. A method of computing a coordinate of a point kP on an elliptic curve resulting from a point multiplication of an initial point P by a scalar k, said method comprising the steps of: a) decomposing said scalar k into a pair of components k₀, k₁ for point multiplication to obtain respective points on said curve which when combined provide said point kP; b) determining a signed representation in non-adjacent form of each of said first and second components; c) generating a table having a plurality of signed bit combinations contained in said representations and corresponding point multiples of said combinations to provide portions of said respective points; d) establishing for each of said representations a window having a width less than the length of each of said representations; e) initiating a sequential examination of said representations by said windows to obtain a position for one of said windows in one of said representations containing a respective one of said combinations in said table; f) retrieving from said table the one of said point multiples corresponding to said respective one of said signed bit combinations in said table to obtain therefrom one of said portions; g) accumulating said portion and continuing examination of said representations with a doubling of said accumulator for each bit-wise shift of said windows to obtain a representation of said coordinate of said point kP in said accumulator.
 13. A method according to claim 12, wherein one of said respective points is derived from said initial point P and one of said components using an endomorphism of said curve.
 14. A method according to claim 13, wherein said portions of said one of said respective points are derived from portions of the other of said respective points using said endomorphism.
 15. A method according to claim 12, wherein one of said respective points is derived from said initial point P, one of said components, and a private key.
 16. A method according to claim 15, wherein said portions of said respective points are precomputed and stored in said table.